Extended Protection and Authentication

mara2021 1,036 Reputation points
2024-04-28T02:47:32.7166667+00:00

We are a hybrid deployment. Exchange Server 2019 (SRV01 and SRV02). We use ADSync. The servers are in a DAG. They are behind a load balancer. Our users are in Exchange Online. We have an SMTP relay. We have an on-premises mailbox for our on-premises archiver application. Exchange Online forwards the email to this mailbox (considered a 3rd-party mailbox). The mailbox sends emails to the archiver server. Both servers are configured for TLS 1.2; NTLM is set to "Send NTLMv2 responses only. Refuse LM & NTLM". Extended Protection is enabled on SRV01. Extended Protection is not enabled on SRV02.

SRV02 shows successes for the mailbox and is only using NTLMv2.

SRV01 (Extended Protection enabled) shows failures for the mailbox and is only using NTLM.

Extended protection is the only difference on the server. Everything else is the same.

Is the enabled Extended Protection causing the failures? If it was NTLMv2 responses only, I would think failures would be on SRV02 also.

Any suggestions on what may be causing this and how to fix? Thank you.

Tags: Windows Server, Microsoft Exchange Online Management, Exchange Server Management, Microsoft Exchange Hybrid Management
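The question turns on one server having Extended Protection and the other not. The following PowerShell is an added example (not code from the question or the answer) that lists, per IIS location, the `extendedProtection` setting Exchange writes into `applicationHost.config`, so the two servers can be compared side by side; it assumes remote PowerShell access to both servers, and the server names are placeholders.

```powershell
# Added example: read the Extended Protection (tokenChecking) setting for
# every IIS location that has a Windows authentication block, on each
# server, and return one object per server/location for comparison.
# Reads applicationHost.config directly rather than going through the
# WebAdministration cmdlets, so the output is the raw configured value.
function Get-EpLocationSettings {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName   # e.g. 'SRV01','SRV02'
    )

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $path = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
        [xml]$cfg = Get-Content -Path $path -Raw

        foreach ($loc in $cfg.configuration.location) {
            $winAuth = $loc.'system.webServer'.security.authentication.windowsAuthentication
            if (-not $winAuth) { continue }   # no Windows auth block at this location
            $ep = $winAuth.extendedProtection

            [pscustomobject]@{
                Server        = $env:COMPUTERNAME
                Location      = $loc.path
                WinAuth       = $winAuth.enabled
                # IIS treats a missing <extendedProtection> element as tokenChecking="None"
                TokenChecking = $(if ($ep) { $ep.tokenChecking } else { 'None (element absent)' })
                Flags         = $(if ($ep) { $ep.flags } else { '' })
            }
        }
    } | Sort-Object Location, Server |
        Select-Object Server, Location, WinAuth, TokenChecking, Flags
}

# Usage: lines for the same Location should agree across servers; where
# TokenChecking is "Require" on one server and absent/"None" on the other,
# that location is where the two servers diverge.
Get-EpLocationSettings -ComputerName 'SRV01', 'SRV02' | Format-Table -AutoSize
```

Because Extended Protection binds the NTLM exchange to the TLS endpoint the client actually connected to, the load balancer mode (SSL offloading versus SSL bridging or pass-through) is worth checking alongside these values.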

1 answer

  1. OLATUNJI AYODELE ABIDEMI 0 Reputation points
    2024-04-29T13:46:48.91+00:00

    Microsoft Extended Protection for Authentication (EPA) is a security feature that enhances the protection of user authentication credentials and prevents unauthorized access to resources. It's designed to mitigate common attacks like man-in-the-middle, replay, and credential forwarding.

    EPA introduces two main components:

    1. Channel Binding: Verifies the identity of the client and server in an authentication session, ensuring that both parties are genuine and not impersonated.
    2. Authentication Header: Adds an extra layer of protection to the authentication process by inserting a unique token in the authentication header, making it difficult for attackers to reuse or tamper with the credentials.

    EPA supports various authentication protocols, including:

    • NTLM (NT LAN Manager)
    • Kerberos
    • TLS-DSK (Transport Layer Security-Desktop Single Sign-On)

    Benefits of Microsoft Extended Protection for Authentication:

    • Improved security for user authentication
    • Enhanced protection against credential-based attacks
    • Better compliance with security standards and regulations
    • Compatible with existing authentication infrastructure

    By implementing EPA, organizations can strengthen their authentication processes and reduce the risk of unauthorized access to sensitive resources.